DE10211280A1 - Motor vehicle X-by-wire system for vehicle braking and control method therefor, whereby a communications controller for an actuator and process computer module also acts as a monitoring unit for the process controller - Google Patents

Abstract

Method for control of a component (Akt1) of a distributed safety-related system, whereby the component is controlled by a process computer (Pro1) that is assigned to it. The computer is connected to a communications system (K1) via a communications controller (S1). An independent monitoring unit is provided for monitoring the process computer with the role of the monitoring unit optimally fulfilled by the communications controller (S1). An Independent claim is made for a communications controller for connection of a process computer to a communications system, whereby the controller also serves to check the operation of the process computer by instigation of a question and answer session with it.

Description

State of the art

The present invention relates to a method for Control of a component of a distributed security-relevant system, especially one Component of an X-by-wire system in a motor vehicle. The component is assigned by one of the components Process computer controlled by a Communication controller to a communication system connected. It is one of the process computers provided independent monitoring unit through which the Process computer is monitored.

The invention also relates to a Communication controller for connecting a Process computer to a communication system, the Process computer for controlling a component of a distributed, security-relevant system, in particular one component of an X-by-Wire system in one Serves motor vehicle, and on the communication controller to realize a data transfer between the Process computer and the communication system Communication protocol expires.

A method of the type mentioned at the outset is, for example, from DE 198 26 131 A1 known. In this publication there is a distributed security-relevant system as one Electrical braking system of a motor vehicle described. Components of this system are called the brakes of the Motor vehicle or more precisely as actuators for Control of the brakes trained. Such a system is to a high degree security-related, since a faulty one Control of the components, especially a faulty one Apply the brakes to an unpredictable Security risk. For this reason, one incorrect control of the components with certainty be excluded.

Essential features of the known brake system are a pedal module for central driver request recording, four wheel modules for wheel-specific control of the brake actuators and a processing module for calculating higher-level brake functions. The communication between the individual modules can take place through a communication system. In Fig. 2 of the present patent application, the internal structure is a wheel module with different logical levels exemplified. The logical level L1 comprises at least the calculation of the control functions for the wheel brakes, while the logical levels L2 to L4 contain various functions for computer monitoring and functional testing of L1.

• a) Ermitteln mindestens eines Ansteuersignals (f_1) für die Bremse durch ein erstes Mikrorechnersystem (R_1A) in Abhängigkeit von mindestens einem Eingangssignal (a_R2, a_R3, a_R4; a_V, ref; s_R2, s_R3, s_R4; Δs_V, ref; v_F; n_1; d_1; F_li; a_R1; s_R1). Die Eingangssignale werden dem Mikrorechnersystem (R_1A) über ein Kommunikationssystem (K_1), bspw. ein Bussystem, zur Verfügung gestellt.
• b) Ermitteln mindestens eines logischen Ansteuersignals (e_1H). Das logische Ansteuersignal (e_1H) wird zumindest teilweise von einer von dem ersten Mikrorechnersystem (R_1A) unabhängigen Überwachungseinheit (R_1B) in Abhängigkeit von dem mindestens einen Eingangssignal ermittelt.
• c) Vergleichen des mindestens einen Ansteuersignals (f_1) mit dem mindestens einen logischen Ansteuersignal (e_1H) in einer Leistungselektronik (LE_1K).
• d) Ermitteln mindestens eines Freigabesignals (innerhalb der Leistungselektroniken LE) in Abhängigkeit von dem Ergebnis des Vergleichs des Ansteuersignals (f_1) und des logischen Ansteuersignals (e_1H); und
• e) Weiterleiten des mindestens einen Ansteuersignals (f_1) oder eines von dem Ansteuersignal (f_1) abhängigen Signals (i_1K) an die Bremse, bzw. an einen Aktuator Akt_1 für die Bremsbacken, falls das mindestens eine Freigabesignal einen vorgebbaren Wert aufweist.

The control of the brakes or the electric motors for actuating the brake shoes includes the following steps for each wheel module:

• a) determining at least one control signal (f_1) for the brake by a first microcomputer system (R_1A) as a function of at least one input signal (a_R2, a_R3, a_R4; a_V, ref; s_R2, s_R3, s_R4; Δs_V, ref; v_F; n_1; d_1; F_li; a_R1; s_R1). The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), for example a bus system.
• b) determining at least one logic control signal (e_1H). The logic control signal (e_1H) is determined at least partially by a monitoring unit (R_1B) which is independent of the first microcomputer system (R_1A) as a function of the at least one input signal.
• c) comparing the at least one control signal (f_1) with the at least one logic control signal (e_1H) in power electronics (LE_1K).
• d) determining at least one enable signal (within the power electronics LE) as a function of the result of the comparison of the control signal (f_1) and the logic control signal (e_1H); and
• e) forwarding the at least one control signal (f_1) or a signal (i_1K) dependent on the control signal (f_1) to the brake, or to an actuator Akt_1 for the brake shoes, if the at least one enable signal has a predeterminable value.

The monitoring unit (R_1B) is used in particular for Detection of systematic (so-called common mode) errors. On Examples of such errors are errors in the Power supply. In the known braking system Monitoring unit (R_1B) as an independent Microcomputer system trained. Alternatively, the Monitoring unit (R_1B), however, also as one Hardware module without its own processor, but the specific logical functions or, if one Has registers, can even perform switching functions. An example of such a hardware module is, for example. an ASIC (Applied Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or one Monitoring circuit (so-called watch dog).

A disadvantage of the prior art is that the logical Level L4 is always implemented in a separate component, that - e.g. in wheel modules of an electrical braking system - within the distributed security-relevant system must also be provided several times.

The present invention is based on the object Establishment of a distributed security-relevant system simplify and at the same time the achievable security at least to maintain the release of the components.

To achieve this object, the invention is based on of the method of the type mentioned above that the Tasks of the monitoring unit by the Communication controllers are met.

Advantages of the invention

According to the invention, it is therefore proposed to separate monitoring unit and the Tasks of the monitoring unit instead of such Units of the distributed security-relevant system let it run, which is provided in the system anyway are. These units must have their own intelligence have to own at least to a limited extent To be able to make calculations. As such a system Unit, which according to the invention the tasks of Monitoring unit can take over is suitable in particular the communication controller via which the Process computer connected to the communication system is.

The use of communication systems in motor vehicles has become the standard for almost all manufacturers become. For example, data can be after the CAN (Controller Area Network) -, TTCAN (Time Triggered CAN) -, TTP / C (Time Triggered Protocol for Class C according to SAE) - or according to the FlexRay protocol become. The logs usually have one so-called global time, which is a system-wide valid Represents time base. She plays in for timing communication (e.g. with time-controlled Communication protocols) and in the application (e.g. at time-controlled operating systems), but also for Diagnostic functions and error detection or Error handling plays an important role. So that means that every communication controller of such a system has its own watch (quartz), which has a mechanism global time even with all the other clocks in that System is synchronized. Because of these opportunities the communication controller can easily handle the Monitoring of the microcomputer can be used.

According to an advantageous development of the present Invention is proposed that the Communication controller a list of questions about Is available to the process computer to be monitored Predeterminable times are made, the Process computer the communication controller an answer there, which is then evaluated by this. That kind of Monitoring a process computer is also used as a question Answer communication. The list is preferably in a storage element, in particular one Random access memory, a read-only memory or one Flash memory, saved. The questions are simple, for example Values with multiple bits set up by the process computer can be processed in a predefinable manner. The editing can range from a simple inversion of the question to a complex calculation including memory test are sufficient. The result of the editing is the answer of the Process computer to the question asked.

According to an advantageous embodiment of the present Invention proposes that the answer to this it is checked whether they are within a predeterminable Period. Once the process computer has a question is made available, a time counter is started. If the answer is not given by the process computer within one by the start time and the duration defined time window, an error of the Process computer closed, and there will be suitable Countermeasures to avoid safety-related Situation initiated.

Alternatively or additionally, it is proposed that the Answer is checked to see if it is correct. To For this purpose it is checked whether the answer is in a list entered as the correct answer to the question asked is. The right answers can be found together with the corresponding questions in a storage element, in particular a random access memory, a read-only Memory or a flash memory, the Communication controller be saved.

According to an advantageous development of the present The process computer questions the questions of the invention Communication controller placed periodically. alternative can also ask questions after a certain time Samples or be put at random.

As a suitable countermeasure for a wrong answer and / or a time that cannot be predefined response, the communication controller can according to a preferred embodiment of the invention Take over the shutdown of the process computer. Alternatively or in addition, the communication controller can Switch off the component to be controlled.

As a further solution to the problem of the present Invention is based on the communication controller of the type mentioned in the introduction that the Communication protocol is supplemented by mechanisms that it enable the communication controller that Monitor process computers. These to be supplemented Mechanisms particularly affect the (periodic) Asking questions, setting a time counter for that too monitoring time window, monitoring the time window and checking the response of the process computer.

According to an advantageous development of the invention in particular suggested that the Communication protocol for mechanisms for executing the method according to the invention is supplemented.

Finally, it is suggested that the Communication controller a memory element, in particular a random access memory, a read-only memory or a Flash memory, on which questions for the Process calculator and correct answers for a question Answer communication with the process computer saved are.

drawings

Other features, applications and advantages of Invention result from the following description of embodiments of the invention, which in the Drawing are shown. Thereby form all described or illustrated features for themselves or in any Combination the subject of the invention, regardless of their summary in the claims or their Relationship and regardless of their wording or Representation in the description or in the drawing. It demonstrate:

Fig. 1 is a distributed safety-related system in the neck for the realization of a method according to a preferred embodiment;

Fig. 2 is a well-known from the prior art control module of a distributed safety-relevant system;

Fig. 3 is a flow diagram of a method according to a preferred embodiment; and

FIG. 4 shows a section of the flowchart from FIG. 3 relating to question-answer communication between a communication controller and a process computer.

Description of the embodiments

The method according to the invention is described below of an electrical braking system explained in more detail. The However, the present invention is not based on electrical Braking systems limited, but rather for any Distributed security-relevant systems can be used with which system components are controlled via process computers become. The present invention allows a safe one Release of the components without the use of additional Monitoring units for monitoring the process computers. The tasks of the monitoring units are rather from Units of the safety-related system taken over are present in the system anyway, especially from Communication controllers via which the process computer are connected to a communication system.

The braking system includes for each vehicle wheel to be braked a wheel module R_1, R_m. Each wheel module R_1, R_m comprises one Microcomputer system P_1, P_m and an enabling circuit FS_1, FS_m. The microcomputer systems P_1, P_m include one process computer each Pro_1, Pro_m and one intelligent communication controller S_1, S_m. The Process computer Pro_1, Pro_m and the Communication controller S_1, S_m of a microcomputer system P_1, P_m can be on a semiconductor chip be summarized; however, they are always different from each other independent, separate units. each Wheel module R_1, R_m is via a communication controller S_1, S_m to a physical data bus K_1 connected. For example, data is transferred via the data bus the TTCAN, TTP / C or FlexRay protocol. The Wheel modules R_1, R_m each control actuators Akt_1, Akt_m on, for example one or more electric motors for Actuation or for releasing the wheel brakes includes.

The monitoring concept known from the prior art (cf. FIG. 2) for checking the process computer (Pro_1) by means of a so-called question-answer communication is replaced by the process computer communication controller concept according to the invention shown in FIG. 1. The communication controller S-1 takes over the task of the monitoring unit R_1B from the prior art and periodically asks questions to the process computer Pro_1 in order to receive the correct answer within a predefinable time window. In the event that the time window is not met or the correct answer to the question does not arrive, the communication controller S_1 switches off the process computer Pro_1 (signal A) and / or the connected component Akt_1 via the release circuit FS_1 (signal B).

To implement the inventive concept, the Communication controller S_1 is only a list of Questions and answers are added. The Communication protocol of the communication controller S_1 is supplemented by mechanisms that periodic polling, setting the appropriate timers for the time window, monitoring this time window and reviewing the Allow answer. Finally, the Communication controller S_1 one pin (signal output A) to release the process computer Pro_1 and a pin (Signal output B) to enable the enable circuit FS_1. These pins are used by the communication controller S_1 served.

The communication controller S_1 carries out a question-answer Communication with the process computer Pro_1 from the normal protocol flow (actual sending and receiving of messages, message confirmation, possibly Membership service and global time) is built in. from that there is a slight additional burden on the Communication controller S_1, but a significant one Improvement in the use of existing units within a distributed security-relevant system. Furthermore, the communication controller S_1 Software and hardware interfaces available to the Connection to the release circuit FS_1 or to one enable suitable pin of the process computer Pro-1. The enabling circuit FS_1 is therefore on the one hand by the Process computer Pro_1 and on the other hand from that Communication controller S_ operated. In addition, the Process computer Pro_1 even with that Communication controller S_1 are coupled so that the Process computer Pro_1 itself can be switched off, e.g. B. by coupling to a reset line of the process computer Pro_1.

The implementation of the process computer according to the invention Communication controller concept for implementing the Question-answer communication is with every control unit possible with a communication controller which is an independent and independent watch having. Ideally, this watch is even over one Clock synchronization mechanism to a global time of day entire distributed security-relevant system synchronized. The communication controller S_1 must Implement the mechanism of question-answer communication and the necessary configuration data is available have or interfaces to the process computer Pro_1 and provide to the release circuit FS_1.

The communication controller S_1 needs the list of questions and the list of correct answers in its permanent Have programmed memory. For example, a Flash EPROM particularly good, mostly also on the other Configuration data for the actual communication are saved. Also the clock (timer) for putting on the Timeouts for the time window to be monitored must be made in advance can be configured. When using an error counter (Count) must be the upper bound (limit) for this can also be defined.

The communication controller S_1 offers a hardware Interface, which is a wiring of the resulting Switch-off logic from the question-answer communication with the Process computer Pro_1 (signal A) and with the additional Enable circuit FS_1 (signal B) allowed.

The questions and the answers are common Memory area (Dual Port RAM) DPRAM_1 between the Process computer Pro_1 and the communication controller S_1 replaced. This common memory area DPRAM_1 forms a software interface between the Communication controller S_1 and the process computer Pro_1. For example, the communication controller S_1 transmits a 16-bit Value set in the software interface (question) and the response within the timeout from the software Interface read out. In addition, another Software interface in the communication controller S_1 are available to view the status of the question-answer To make external communication available (e.g. "Timeout exceeded" or "Answer OK").

The communication controller S_1 must evaluate the response received from the process computer Pro_1 and one Compare with those saved in the answer list Carry out answers. These are in the normal Communication protocol additional mechanisms too take into account an addressing of the table in which the answer list is filed, and a simple comparison enabled by two values. You may also be able to Error counter (Count) can be managed.

The method according to the invention is explained in detail below with reference to FIGS. 3 and 4. The method begins in a function block 1 . The initial situation is an active distributed network with functioning participants (communication controller S_1, S_m and their process computer Pro_1, Pro_m). There is no signal to switch off the process computer Pro_1 or the component Akt_1 to be controlled (via the enable circuit FS_1).

A system start is carried out in a function block 2 . An initialisation of the communication controller S_1 and the process computer is then performed Pro_1 in a functional block. 3 The normal application then starts sending and receiving messages (function block 4 ). In addition, the communication controller S_1 also initiates the question-answer communication (function block 5 ). The two sequences, which are only symbolically represented by the function blocks 4 and 5 , are routines which can be executed not only one after the other, but also next to one another, ie simultaneously or quasi in parallel. The question-answer routine 5 is shown in detail in FIG. 4 and is described in more detail below.

A query block 6 then checks whether the method is to be ended or not. The method is ended, for example, when the corresponding subscriber or the entire distributed system is shut down. If the method is not to be ended, the process branches back to function block 4 . Otherwise, the method according to the invention is ended in a function block 7 .

The question-answer routine from the functional view 5 is described in more detail in FIG. 4. In a function block 51 , a specific question is selected from the question catalog stored in the memory element EPROM of the communication interface S_1. The selection of a question can be a cyclical processing of the questionnaire or processing according to a predefinable pattern or according to a random process (e.g. coupled to the current system time of the communication controller S_1). The process computer Pro_1 is then provided with the selected question in a function block 52 via the software interface DPRAM_1 and the time counter (timer) is started in a function block 53 . The monitoring of the time window is part of the further protocol sequence in the communication controller S_1 and can also be solved in different ways, e.g. B. by so-called polling or by a so-called capture-and-compare logic in the communication controller S_1.

Suitable software is available in the process computer Pro_1, which processes the question of the communication controller S_1 (function block 54 ) and determines a corresponding answer to the question (function block 55 ). The algorithms and methods used for this are not the subject of this invention and can range from a simple inversion of the question to a complex calculation including a memory test. The software in the process computer Pro_1 then transfers the answer in a function block 56 via the software interface DPRAM_1 to the communication controller S_1.

In a function block 57 , the response is then read from the software interface DPRAM_1 into the communication controller S_1. In a function block 58 , a comparison of the answer of the process computer Pro_1 with the correct answer entered in the answer list is carried out via an evaluation logic of the communication controller S_1. The communication controller S_1 normally receives the correct answer (output "no"). The result of the question-answer communication is additionally set in a status register (function block 59 ); in this case a positive status. From here, the question-answer routine 5 branches back to the function block 6 in FIG. 3. The next question can then be sent to the process computer Pro_1, e.g. B. after the timeout, and the question-answer routine 5 is run again. This results in a cyclical question-answer protocol. However, the next question can also be initiated at predetermined times (cf. also time-controlled communication protocols, which make each protocol step dependent on reaching a certain time).

In the event of an error (output "yes" from query block 58 ), the answer of the process computer Pro_1 does not match the corresponding correct answer to the question in the configured list of the communication controller S_1 or the defined time window was not adhered to.

As part of error handling, an error counter is first increased (function block 60 ). A signal for switching off the processor is then initiated in a function block Pro_1 61st Likewise, in a function block 62, the signal B for switching off the actuators Akt_1 can be sent out via the enable circuit FS_1. Steps 61 and 62 can be processed for every error handling. Alternatively, however, they can only be processed when the error counter, which was increased in function block 60 , has exceeded a predefinable limit value. Steps 61 and 62 stop the participation of the switched-off units Pro_1, Akt_1 in the communication until an orderly system restart takes place. The end of the method according to the invention is specified in a function block 63 , so that the method is ended the next time the query block 6 is run in the function block 7 .

Claims (11)

1. Method for controlling a component (Akt_1) of a distributed security-relevant system, in particular a component (Akt_1) of an X-by-wire system in a motor vehicle, the component (Akt_1) being assigned to a process computer (Pro_1) assigned to the component (Akt_1) ) is controlled, which is connected via a communication controller (S_1) to a communication system (K_1), and a monitoring unit is provided which is independent of the process computer (Pro_1) and through which the process computer (Pro_1) is monitored, characterized in that the tasks of Monitoring unit can be fulfilled by the communication controller (S_1). 2. The method according to claim 1, characterized in that that the communication controller (S_1) has a list with Questions are available that are to be monitored Process computer (Pro_1) provided at predefinable times be, whereby the process computer (Pro_1) the Communication controller (S_1) gives an answer by this is then evaluated. 3. The method according to claim 2, characterized in that the answer is checked to see if it took place within a predeterminable period of time. 4. The method according to claim 2, characterized in that the answer is checked to see if it is correct is. 5. The method according to claim 4, characterized in that the answer is checked to see if it is in a list as the correct answer to the question asked is entered. 6. The method according to any one of claims 2 to 5, characterized characterized that the process computer the questions periodically provided by the communication controller become. 7. The method according to any one of claims 1 to 6, characterized characterized that the communication controller the The process computer is switched off if the Answer is wrong and / or not within one predefinable period of time. 8. The method according to any one of claims 1 to 6, characterized characterized that the communication controller the The component to be controlled is switched off if the answer is wrong and / or not within one predefinable period of time. 9. Communication controller for connecting a Process computer (Pro_1) to a communication system (K_1), the process computer for controlling a component a distributed, security-relevant system, in particular a component of an X-by-wire system in serves a motor vehicle, and on the Communication controller (S_1) to implement a Data transfer between the process computer (Pro_1) and the communication system (K_1) a communication protocol expires, characterized in that the Communication protocol is supplemented by mechanisms that it enable the communication controller (S_1) to Process computer (Pro_1) to monitor. 10. Communication controller (S_1) according to claim 9, characterized in that the communication protocol around Mechanisms for performing a method according to one of the Claims 2 to 8 is supplemented. 11. Communication controller (S_1) according to claim 8 or 9, characterized in that the communication controller a memory element, in particular a random access memory, has a read-only memory or a flash memory the questions for the process computer and correct answers for a question-answer communication with the process computer are saved.